1

I read through RFC5869 and I didn't see any recommended or required octet length of the IKM used in the HKDF-Extract operation. Is there any relationship between the Hash method used in the HKDF-Expand operation and the IKM length? e.g. when using SHA-256 this requires the IKM to be a 256-bit key.

RishiD
  • My recommendation would be just use 256-bit keys for everything. However, @knaccc has rightly pointed out that that doesn't always mean 256 bits of entropy. – samuel-lucas6 Jul 22 '22 at 17:57

1 Answer

2

The extract step is simply $\texttt{HMAC-Hash(salt, IKM)}$.

The output length of your hash will determine the maximum entropy produced by $\texttt{HKDF-Extract}$.

The octet length of your IKM is not the same as the entropy of the IKM.

For example, a 256-bit EC Diffie-Hellman shared secret would only have around 128 bits of entropy.

You should decide on your security level, ensure your choice of $\texttt{HKDF-Hash}$ can output at least that octet length, and then ensure your IKM contains at least that much entropy.

knaccc
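The following is an added example, not part of the answer above: a minimal HKDF-SHA-256 built on Python's standard `hmac` module. It shows that Extract accepts an IKM of any octet length and always returns HashLen octets, and that a long IKM with little entropy yields few possible keys. The function names and the 64-octet low-entropy inputs are constructed for illustration; the IKM, salt and info values are those of RFC 5869 Appendix A.1.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 section 2.2: PRK = HMAC-Hash(salt, IKM). IKM length is unconstrained."""
    if not salt:
        # An absent salt defaults to HashLen zero octets.
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 section 2.3: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested output exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def distinct_prks(salt: bytes, candidate_ikms) -> int:
    """Count the different PRKs reachable from a set of possible IKM values."""
    return len({hkdf_extract(salt, ikm) for ikm in candidate_ikms})


# RFC 5869 Appendix A.1 inputs: note the IKM is 22 octets, not 32.
TV_IKM = bytes([0x0B]) * 22
TV_SALT = bytes(range(0x0D))
TV_INFO = bytes(range(0xF0, 0xFA))

# Constructed sample: every 64-octet IKM that is one unknown octet repeated.
# Each is 512 bits long but carries at most 8 bits of entropy.
LOW_ENTROPY_IKMS = [bytes([b]) * 64 for b in range(256)]

if __name__ == "__main__":
    prk = hkdf_extract(TV_SALT, TV_IKM)
    print("PRK from 22-octet IKM:", prk.hex())
    print("OKM (42 octets):      ", hkdf_expand(prk, TV_INFO, 42).hex())
    for n in (1, 22, 32, 1000):
        print(f"IKM of {n:4d} octets -> PRK of {len(hkdf_extract(TV_SALT, bytes(n)))} octets")
    print("possible PRKs for the 64-octet low-entropy IKMs:",
          distinct_prks(TV_SALT, LOW_ENTROPY_IKMS))
```
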